Protecting the Crown Jewels
Charles Herring, Consulting Security Architect (@charlesherring)

Outline
  What are Crown Jewels?
  Who is Attacking?
  Where to Look?
  How to Look?
    By Data Grouping
    Data Anomaly Alarms
    Map/Relationship Policy
    User Defined Criteria
  Demo
2014 Lancope, Inc. All rights reserved.

Crown Jewels
Data that is valuable to attackers:
  Card holder data (PCI)
  Patient records (HIPAA)
  Trade secrets
  Competitive information (M&A)
  Employee data (PII)
  State secrets

Why do attackers care?
  Attacker         Jewel            Motivation
  Criminals        PCI data         $4-$12/card
  Criminals        Patient records  $30-$50/record
  Activists        Anything         Shaming
  State sponsored  Trade secrets    Geopolitical
  State sponsored  Patient records  ?!?!!!!

[Network diagram: WAN, Data Center, Access and Core layers; 3560-X, VPC servers, 3925 ISR, Nexus 7000, UCS with Nexus 1000v]

Where to Look?
North, South, East AND West = every communication

Advanced Detection Methods
  Signature = object checked against a blacklist: IPS, antivirus, content filter
  Behavior = inspect victim behavior against a blacklist: malware sandbox, NBAD, HIPS, SIEM
  Anomaly = inspect victim behavior against a whitelist: NBAD, quantity/metric based, not signature based
                    Signature  Behavior  Anomaly
  Known exploits    BEST       Good      Limited
  0-day exploits    Limited    BEST      Good
  Credential abuse  Limited    Limited   BEST

There are three ways Lancope detects things. For signatures, Lancope augments this with our SLIC Threat Feed. Our StealthWatch Labs group of researchers works with external parties that define and develop URLs and IPs that are known to be bad, which you can put into your system and match against every single conversation in your network. So it is real-time, it is ubiquitous across your enterprise, it is high value. Anomaly detection is our threshold-based alerting, so that when we drop in a system, we are going to create high concern index events on day one based on devices that exceed acceptable thresholds of noise. Within our behavior-based system, you have to have thresholds on both the low end and the high end, because the behavior of a host will actually live in between those two areas. What this means is that super slow attackers that generate very little traffic will alert below a threshold, and very noisy volumetric DDoS attacks that come in via UDP floods become threshold-based alarms as well.
The behavior-based alarms come from the fact that we are building this learned baseline over time: a minimum of seven days to create a baseline, expanding out to 30 days, rolling over time, and most heavily weighted on the last couple of weeks of activity. This is where we are actually able to detect things like worm activity and worm propagation, beaconing hosts, data hoarding and data exfiltration. These are based on statistical conditions that we've learned about you as a user on your network.
You the customer have already invested early in signature-based technology, and it is not that that technology is no longer effective; it is just that your adversary has advanced and so must you. Behavior and anomaly detection methods address the problem of not knowing what you are looking for ahead of time, as in zero-day exploitation. Behavior-based detection contains the threat and observes its behavior with the objective of dynamically building a blacklist, a list of bad things. Anomaly detection leverages known good behavior or actions, either inherent to the protocols, statistically collected from the traffic, or asserted by the user; this whitelist, or list of norms, allows detection to be based not on abnormalities but on the differences that make the difference.

The New Security Model
Attack Continuum
  BEFORE: Discover, Enforce, Harden
  DURING: Detect, Block, Defend
  AFTER: Scope, Contain, Remediate
Network, Endpoint, Mobile, Virtual, Cloud
Point in Time vs. Continuous
By Data Grouping
  Find your data
  Pull the thread with Top Peers / Flow Tables
  Host Group policies with lower tolerance

Find your jewels
Data Anomaly Alarms
  Suspect Data Hoarding
  Target Data Hoarding
  Total Traffic
  Suspect Data Loss
  Counting Access
Map the Segmentation
  Logical vs. Physical
  Map segmentation
  Watch the logical roadways

Custom Events
  Evolution of HLV
  Alert when segmentation fails
  Allows for NOR logic
  Alert on zero tolerance
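As an added illustration (not Lancope's or StealthWatch's code), a toy Python version of two of the checks described above: a data-loss alarm that combines a fixed day-one threshold with a learned baseline weighted toward the last two weeks, and a host-group map check that alarms when a flow crosses a group pair the segmentation policy does not allow. The host addresses, group names, byte counts, weights and the 3-sigma rule are constructed assumptions.

```python
MIN_DAYS, MAX_DAYS = 7, 30  # deck: baseline needs at least 7 days, grows to 30

def weighted_baseline(daily_bytes, recent_days=14, recent_weight=3.0):
    """Weighted mean and std of one host's daily outbound bytes over the last
    MAX_DAYS; the last recent_days count recent_weight times (assumed weights)."""
    hist = daily_bytes[-MAX_DAYS:]
    if len(hist) < MIN_DAYS:
        return None  # not enough history yet: only fixed thresholds apply
    n = len(hist)
    w = [recent_weight if i >= n - recent_days else 1.0 for i in range(n)]
    mean = sum(wi * x for wi, x in zip(w, hist)) / sum(w)
    var = sum(wi * (x - mean) ** 2 for wi, x in zip(w, hist)) / sum(w)
    return mean, var ** 0.5

def data_loss_alarm(daily_bytes, today_bytes, ceiling, sigma=3.0):
    """Return an alarm label or None. The fixed ceiling fires on day one; the
    Suspect Data Loss alarm needs a learned baseline to compare against."""
    if today_bytes >= ceiling:
        return "Total Traffic threshold"
    base = weighted_baseline(daily_bytes)
    if base is None:
        return None
    mean, std = base
    if today_bytes > mean + sigma * max(std, 1.0):
        return "Suspect Data Loss"
    return None

# Map/relationship policy: which host-group pairs are allowed to talk (constructed).
ALLOWED = {("Users", "Web"), ("Web", "App"), ("App", "CardholderDB")}

def segmentation_alarms(flows, host_group):
    """Flag flows whose (src group, dst group) pair is off the map, e.g. a user
    workstation reaching the cardholder database directly."""
    alarms = []
    for src, dst, _nbytes in flows:
        pair = (host_group.get(src, "Unknown"), host_group.get(dst, "Unknown"))
        if pair[0] != pair[1] and pair not in ALLOWED:
            alarms.append((src, dst, pair))
    return alarms

# Constructed sample data: 14 quiet days for a server (about 50 MB/day).
HISTORY = [50_000_000 + (i % 3) * 1_000_000 for i in range(14)]
GROUPS = {"10.1.1.5": "Users", "10.2.0.10": "Web",
          "10.3.0.10": "App", "10.4.0.20": "CardholderDB"}
FLOWS = [("10.2.0.10", "10.3.0.10", 1_200),
         ("10.1.1.5", "10.4.0.20", 900_000_000)]
```

A 1 GB day against that history trips the baseline alarm even though it stays under a 5 GB fixed ceiling, while the same day with only five days of history produces nothing but the fixed-threshold check.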
DEMO

11/20/2014, Cisco Live 2013